Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to the test* notification endpoints but not to the corresponding save* endpoints. An authenticated user can save an internal/private IP address as a notification URL, and when the cron job sendnotifications.php executes, the request is sent to the internal IP without any SSRF validation. This issue has been patched in version 4.7.0.
Published: 2026-03-24
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Internal network access via SSRF bypass
Action: Patch immediately
AI Analysis

Impact

A flaw in Wallos allows an authenticated user to store an internal or private IP address as a webhook notification URL. The validate_webhook_url_for_ssrf() check introduced in 4.6.2 runs only on the test* endpoints, not on the save* endpoints that persist the URL, so when the scheduled sendnotifications.php task later reads the stored URL it sends the request without any SSRF validation. In effect the Wallos server can be made to issue HTTP requests to arbitrary internal IPs on the attacker's behalf, potentially exposing internal services, retrieving sensitive data, or facilitating lateral movement within the network. The weakness is categorized as Server-Side Request Forgery (CWE-918).
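The save/test/send split behind this CVE, reimplemented in Python as an added example: this is not Wallos code (Wallos is PHP, and its real validate_webhook_url_for_ssrf() may differ), and the function names, the in-memory NOTIFICATION_SETTINGS table and the FAKE_DNS table are assumptions made for the demo. The validator resolves the host, rejects anything that is not globally routable, and is applied on the save path and again in the cron job, which also covers the "validate before storage" and cron points listed under Recommended Actions.

```python
"""Added example: the save/test/send split behind CVE-2026-33399, in Python.
Not Wallos code (Wallos is PHP); names and tables below are assumptions for the demo."""
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed stand-in for the notification settings table that sendnotifications.php reads.
NOTIFICATION_SETTINGS = {}


def is_non_public(ip_str):
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254), ULA, multicast, etc."""
    ip = ipaddress.ip_address(ip_str)
    return (not ip.is_global) or ip.is_multicast


def validate_webhook_url_for_ssrf(url, resolver=socket.getaddrinfo):
    """Return (ok, reason). Rejects non-http(s) schemes and any host that resolves to a
    non-public address. `resolver` has socket.getaddrinfo's shape so the demo runs offline."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IPv4, or bracketed IPv6
    except ValueError:
        try:  # shorthand like 127.1 or 2130706433 also lands here and is resolved by the OS
            addrs = [info[4][0] for info in resolver(host, None)]
        except OSError:
            return False, "hostname does not resolve"
    for addr in addrs:
        if is_non_public(addr):
            return False, "resolves to non-public address " + addr
    return True, "ok"


# --- Pre-4.7.0 pattern described in the advisory: the check exists only on the test path ---
def test_webhook_pre_fix(url, resolver=socket.getaddrinfo):
    return validate_webhook_url_for_ssrf(url, resolver)[0]


def save_webhook_pre_fix(user_id, url):
    NOTIFICATION_SETTINGS[user_id] = url  # no SSRF check on the save path
    return True


def cron_send_pre_fix():
    """URLs the cron job would request: every stored URL, unchecked."""
    return list(NOTIFICATION_SETTINGS.values())


# --- Hardened pattern: validate at save time AND again at send time ---
def save_webhook_fixed(user_id, url, resolver=socket.getaddrinfo):
    ok, reason = validate_webhook_url_for_ssrf(url, resolver)
    if ok:
        NOTIFICATION_SETTINGS[user_id] = url
    return ok, reason


def cron_send_fixed(resolver=socket.getaddrinfo):
    """Re-check every stored URL: rows saved through the old path, or whose DNS has changed
    since, must not reach internal hosts. Returns (allowed, skipped) lists of (user, url, reason)."""
    allowed, skipped = [], []
    for user_id, url in NOTIFICATION_SETTINGS.items():
        ok, reason = validate_webhook_url_for_ssrf(url, resolver)
        (allowed if ok else skipped).append((user_id, url, reason))
    return allowed, skipped


# Constructed DNS table so the demo makes no real lookups.
FAKE_DNS = {
    "hooks.example.com": "8.8.8.8",          # any globally routable address serves the demo
    "metadata.internal": "169.254.169.254",  # typical cloud metadata endpoint
}


def fake_resolver(host, port):
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed: unknown host " + host)
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (FAKE_DNS[host], 0))]


def demo():
    """Attacker stores an internal URL via the unguarded save path; the test path would refuse it."""
    NOTIFICATION_SETTINGS.clear()
    url = "http://metadata.internal/latest/meta-data/"
    refused_by_test = not test_webhook_pre_fix(url, fake_resolver)
    save_webhook_pre_fix("attacker", url)
    fired_pre_fix = cron_send_pre_fix()              # old cron requests it anyway
    _, skipped = cron_send_fixed(fake_resolver)      # hardened cron refuses it
    return refused_by_test, fired_pre_fix, [u for _, u, _ in skipped]


if __name__ == "__main__":
    print(demo())
```

Two details worth noting. First, hostname forms that are not valid IP literals (127.1, a decimal such as 2130706433, or a name under the attacker's DNS) fall through to the resolver, and the check is made on what the resolver returns, not on the string the user typed; a pure string or regex check on the URL would miss them. Second, even the hardened cron resolves the name once to validate and again when the HTTP client connects, so a complete fix should pin the validated IP for the actual connection rather than resolving a second time (the classic DNS rebinding gap).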

Affected Systems

The vulnerability exists in all releases of Ellite Wallos prior to version 4.7.0, including 4.6.2, whose fix for CVE-2026-30839 and CVE-2026-30840 covered only the test* endpoints. Administrators on any earlier build should assume that the save* endpoints accept internal or private addresses as notification URLs and that the cron job will forward requests to them.

Risk and Exploitability

The CVSS 3.1 score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) indicates high risk: network-reachable, low complexity, low privileges, no user interaction, with a scope change and a high confidentiality impact but no integrity or availability impact. The EPSS score of less than 1% suggests low current exploitation prevalence, and the issue is not listed in CISA's KEV catalog, although the SSVC assessment records a public proof of concept ('Exploitation': 'poc') and rates it not automatable. The attack requires an authenticated account that can save a webhook URL; no further interaction is needed, because the request is issued automatically from the server's network position the next time the sendnotifications.php cron job runs. The direct impact is confined to what the Wallos host can reach, so the real severity depends on which internal services (admin interfaces, cloud metadata endpoints, unauthenticated internal APIs) are exposed to it.

Generated by OpenCVE AI on March 26, 2026 at 21:33 UTC.

Remediation

Vendor fix: the issue is patched in Wallos 4.7.0; upgrade to 4.7.0 or later. No separate vendor workaround is documented for earlier versions.

OpenCVE Recommended Actions

  • Apply the 4.7.0 patch or later to Wallos.
  • Verify that webhook URLs are normalized and, after DNS resolution, checked against loopback, link-local and private ranges before storage, not only on the test endpoints; the same check should run again in sendnotifications.php before the request is sent, since a URL can be saved through one path and consumed by another.
  • Review the notification URLs already stored in the database for internal or private addresses; anything saved before the upgrade went through the unvalidated save* path.
  • If possible, disable or postpone the sendnotifications.php cron job until the patch is applied.
  • Restrict user permissions so that only trusted administrators can modify notification URLs.



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wallosapp; Wallosapp wallos
CPEs                |                | cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*
Vendors & Products  |                | Wallosapp; Wallosapp wallos

Wed, 25 Mar 2026 12:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Ellite; Ellite wallos
Vendors & Products  |                | Ellite; Ellite wallos

Tue, 24 Mar 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 18:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to the test* notification endpoints but not to the corresponding save* endpoints. An authenticated user can save an internal/private IP address as a notification URL, and when the cron job sendnotifications.php executes, the request is sent to the internal IP without any SSRF validation. This issue has been patched in version 4.7.0.
Title       |                | Wallos: SSRF Bypass - Incomplete Fix for CVE-2026-30839/30840
Weaknesses  |                | CWE-918
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:27:22.399Z

Reserved: 2026-03-19T17:02:34.170Z

Link: CVE-2026-33399

Vulnrichment

Updated: 2026-03-24T18:27:19.048Z

NVD

Status : Analyzed

Published: 2026-03-24T18:16:11.153

Modified: 2026-03-26T20:40:28.377

Link: CVE-2026-33399

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:20:51Z

Weaknesses